From Mercury!bagpuss.demon.co.uk!fileserv Sun Dec 25 19:44:54 1994
Return-Path:
Received: by chinet.chinet.com (/\==/\ Smail3.1.28.1 #28.1{chinet}) id ; Sun, 25 Dec 94 19:44 CST
Received: by mercury.mcs.com (/\==/\ Smail3.1.28.1 #28.5) id ; Sun, 25 Dec 94 19:04 CST
Received: from bagpuss.demon.co.uk by post.demon.co.uk id aa14895; 26 Dec 94 1:03 GMT
Received: (root@localhost) by bagpuss.demon.co.uk (99.9/99.9) id BAA02963; Mon, 26 Dec 1994 01:03:49 GMT
Date: Mon, 26 Dec 1994 01:03:49 GMT
From: "[8LGM] Fileserver"
Message-Id: <199412260103.BAA02963@bagpuss.demon.co.uk>
To: Lauren Harper
Reply-To: 8lgm-fileserver@bagpuss.demon.co.uk
Subject: [8lgm]-Advisory-4.UNIX.gopher.12-Feb-1992
Status: O

WE RESERVE THE RIGHT TO PUBLISH NAMES OF PEOPLE REQUESTING INFORMATION FROM
OUR SERVER. IF YOU DO NOT AGREE TO THIS, PLEASE DO NOT REQUEST INFORMATION.

This document is Copyright(C) 1994 by [8LGM] and your usage of the
information contained within this document constitutes your agreement to
render [8LGM] free from any direct or consequential liabilities or damages
which may be incurred as the result of such usage.

[8LGM] makes this information available in good faith, to make it possible
for System Administrators to have the necessary tools to be able to fix
their own systems. However [8LGM] does not endorse the usage of this
information for any purposes.

Permission is hereby granted for usage only in accordance with the
conditions of usage as set forth herein.

[8lgm]-Advisory-4.UNIX.gopher.12-Feb-1992:

This advisory has been sent to:

        comp.security.unix
        INFOHAX
        BUGTRAQ
        CERT/CC
        Gopher Maintainers

===========================================================================
                [8lgm]-Advisory-4.UNIX.gopher.12-Feb-1992

PROGRAM:

        gopher(1)       (/usr/local/bin/gopher)
        UMN gopher client

VULNERABLE OS's:

        All versions are believed to have this vulnerability.

DESCRIPTION:

        Shell access can be gained from gopher(1), even when running
        in secure mode.

IMPACT:

        gopher guest accounts are not secure.

REPEAT BY:

        This example demonstrates how to use gopher running in secure
        mode to gain access to sh. Please do not do this unless you
        have permission.

        Create or modify a .Links file on any public gopher server,
        for example:

                Type=8
                Name=I'll give you a shell
                Host=;/bin/sh
                Port=
                Path=

        Log into the gopher account, and access the server and
        directory containing the modified .Links file.

        Select the "I'll give you a shell" item, and after quitting
        telnet the user has access to sh.

        It is also possible to create an entry that would not inform
        the user of a gopher client of the commands that are about to
        be executed. It is therefore possible to leave commands on a
        gopher server for unsuspecting users to execute.

ADVICE:

        1. Display technical information about a link before
           connecting to other hosts using gopher.

        2. Consider disabling guest gopher logins in the interim.

FEEDBACK AND CONTACT INFORMATION:

        8lgm-bugs@bagpuss.demon.co.uk           (To report security flaws)

        8lgm-request@bagpuss.demon.co.uk        (Request for [8lgm] Advisories)

        8lgm@bagpuss.demon.co.uk                (General enquiries)

        System Administrators are encouraged to contact us for any
        other information they may require about the problems described
        in this advisory.

        We welcome reports about which platforms this flaw does or does
        not exist on.

===========================================================================
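
As an added illustration of ADVICE item 1 (not part of the original advisory and not the gopher client's own code), the C sketch below shows how a client could check the Host and Port fields of a Type=8 link before connecting. It assumes the client would otherwise place those fields on a shell command line for telnet; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 1 if `host` looks like a hostname or IPv4 literal
 * (letters, digits, '.', '-'; no leading '-' or '.'), else 0. */
int host_is_safe(const char *host)
{
    size_t n = host ? strlen(host) : 0;
    if (n == 0 || n > 255 || host[0] == '-' || host[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;           /* rejects ';', '/', spaces, quotes, ... */
    }
    return 1;
}

/* 1 if `port` is empty (use the default) or a decimal number 1..65535. */
int port_is_safe(const char *port)
{
    if (port == NULL || *port == '\0')
        return 1;
    size_t n = strlen(port);
    if (n > 5)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)port[i]))
            return 0;
    long v = strtol(port, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* Fills argv for execvp("telnet", argv), so no shell parses the fields.
 * Returns 0 on success, -1 if the link must be refused. */
int build_telnet_argv(const char *host, const char *port, const char *argv[4])
{
    if (!host_is_safe(host) || !port_is_safe(port))
        return -1;
    argv[0] = "telnet";
    argv[1] = host;
    argv[2] = (port && *port) ? port : NULL;
    argv[3] = NULL;
    return 0;
}
```

A refused link is the point at which a client would show the raw Host and Port values to the user instead of connecting.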